
<!-- Start Instructions -->
<h1>Useful Tools</h1>
<p>
Below is a list of tools we've found useful in solving the WebGoat lessons. You will need a proxy like OWASP ZAP or Paros to solve most of the lessons. </p>
<h2>OWASP ZAP:</h2>
<p>
Like WebGoat, Zed Attack Proxy (ZAP) is a part of OWASP and is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually..<br><br>
<img src="images/introduction/UsefulTools-ZAP.png"><br><br>
Webpage: <a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project">https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project</a>
<br>The .jar install file can be found at the <a href="http://code.google.com/p/zaproxy/wiki/Downloads?tm=2">OWASP ZAP Google Code Project</a></p>
<p>After installing ZAP and configuring your browser to use it as a proxy on localhost we can start. To intercept a request,  
click the green arrow icon turning it red. If we browse a WebGoat page, ZAP will intercept the HTTP request.
Here we can read and edit the intercepted parameters and headers. After editing is complete press the play icon to submit the request to the server.<br>
<img src="images/introduction/UsefulTools-ZAP_1.png"><br><br>
</p>
<h2>Modern Browsers:</h2>
<p>
Most modern browser have developer tools that will allow you to inspect and modify request data.
<br><br>

<h2>Wireshark</h2>
<p>
Wireshark is a network protocol analyzer. You can sniff network traffic and gather useful
informations this way.<br><br>
<img src="images/introduction/wireshark.png"><br><br>
Webpage:<a href="http://www.wireshark.org" target="_blank">http://www.wireshark.org</a>

</p>

<h2>Scanners (Attacking Proxies):</h2>
<p>
There are many vulnerability scanners for your own web applications. They can find XSS, Injection Flaws and other vulnerabilities. Below are links to three open source scanners. <br><br>
Nessus:<a href="http://www.nessus.org" target="_blank">http://www.nessus.org</a><br>
Paros:<a href="http://www.parosproxy.org" target="_blank">http://www.parosproxy.org</a><br>
OWASP ZAP:<a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project" target="_blank">https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project</a><br>
</p>
<!-- Stop Instructions -->
<br>
